Study: Default Encryption Won't Hinder Surveillance

Law enforcement and intelligence agencies will have plenty of chances to snoop on criminals, terrorists and citizens even as communications vendors enable default encryption on mobile devices, a study from Harvard University says.

FBI Director James Comey has spurred a debate with his comments that default encryption by the makers of mobile devices inhibits law enforcement and intelligence agencies, even with court orders, from collecting information terrorists and criminals they try to hide (see Is Idea of Backdoor Really Dead?).

But the report from Harvard University's Berkman Center for Internet & Society, Don't Panic: Making Progress on the Going Dark Debate, says default encryption will not greatly inhibit the ability of law enforcement and intelligence agencies to cull data about criminal and terrorist activities. Because of the way mobile devices and the Internet function, along with the rapid growth of the Internet of Things and networked sensors, the report contends police and intelligence services will have more opportunities to intercept communications from terrorists, criminals and ordinary citizens.

"The report explains why the risks to law enforcement is less than the police often believe they are," says Peter Swire, a former White House privacy counsel.

Not So 'Dark'

"Our issue with the metaphor is that we are trending toward the future in which communications and the ability of law enforcement to conduct surveillance is just not going to be what it is today," says David O'Brien, a Berkman senior researcher who was a member of the group that produced the report. "We don't think that's an accurate take on the situation. ... We really wanted to contextualize the debate by adding in some of these things that have not been part of the conservations."

The group's leader, Jonathan Zittrain, an Internet law professor at Harvard Law School, blogs that a number of human and technical weaknesses within the Internet ecosystem will increase to the point that they will likely create an advantage for the law enforcement and intelligence communities as data collection volume and methods proliferate.

"Consider all those IoT devices with their sensors and poorly updated firmware," Zittrain says. "We're hardly going dark when - fittingly, given the metaphor - our light bulbs have motion detectors and an open port. The label is 'going dark' only because the security state is losing something that it fleetingly had access to, not because it is all of a sudden lacking in vectors for useful information."

Report's Findings

The report reaches five conclusions:

End-to-end encryption and other technological architectures for concealing user data are unlikely to be adopted universally by companies because most businesses that provide communications services rely on access to user data to generate income and profit and enhance functionality, including user data recovery should a password be forgotten.

Software ecosystems tend to be disjointed. For encryption to become widespread and comprehensive, far more coordination and standardization than exists would be required.

IoT and networked sensors will grow significantly, with the potential to significantly change surveillance. The still images, video and audio captured by these devices could enable real-time intercept and recording with after-the-fact access. An inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.

Georgia Tech's Peter Swire discusses the impact of the Internet of Things on surveillance.

Metadata is not encrypted, and that's unlikely to change. This data, which includes for example, location data from cell phones and other devices, telephone calling records and header information in e-mail, needs to stay unencrypted for systems to operate. Metadata provides a massive amount of surveillance information that was unavailable before these systems became widespread.

These trends raise novel questions about how we will protect individual privacy and security. Today's debate is important, but for all its efforts to take account of technological trends, it is largely taking place without reference to the full picture.

Strong Business Case

The report makes a strong business case for why failing to get Apple, Google and other mobile device providers to stop default encryption wouldn't deter law enforcement's efforts to collect information from terrorists and criminals devices and Web accounts, says Swire, Georgia Tech law and ethics professor.

"This report is not about mathematics; it shows business reasons why evidence often will be accessible to law enforcement even when some data is encrypted," Swire says.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;